SECURITY REPORT - About Keysight

Page created by Marvin Hubbard
 
CONTINUE READING
SECURITY REPORT - About Keysight
2019
SECURITY REPORT
SECURITY REPORT - About Keysight
TABLE OF CONTENTS

     01                     02 03
     Introduction           The Ixia Application      Top 5 Security Threat
                            and Threat Intelligence   Insights from 2018
     Page 3
                            Research Center
                                                      Page 9
                            Page 6

     04 05
     Security Watch List    Conclusion
     for 2019               Page 31
     Page 27

                                                                                                             2

INTRODUCTION         RESEARCH CENTER         THREAT INSIGHTS         SECURITY WATCH             CONCLUSION

                                                                                      2019 Ixia Security Report
SECURITY REPORT - About Keysight
SECTION

   01
    INTRODUCTION
     Welcome to the third annual Security
     Report issued by Ixia, a Keysight business.
     Each year, the Ixia Application and
     Threat Intelligence (ATI) Research Center
     summarizes the most interesting and
     prominent internet security trends. We
     analyze ATI data to help organizations
     understand where they can improve. We
     also analyze the data to predict the biggest
     hotspots for the coming year. In all our
     work, we aspire to help cybersecurity
     professionals strengthen their security
     posture by sharing knowledge of active
     exploits, new and old.

                                                                                                      3

INTRODUCTION        RESEARCH CENTER         THREAT INSIGHTS   SECURITY WATCH             CONCLUSION

                                                                               2019 Ixia Security Report
SECURITY REPORT - About Keysight
The Top 5 Security Issues from 2018
                        • Poor or lacking product security exposed
                          businesses to additional risk

                        • The human attack vector, via Phishing and Malware,
                          remained reliable

                        • Poor cyber hygiene continued to persist year
                          after year

                        • The good intention of sharing product vulnerability
                          information actually led to more attacks

                        • Crypto mining/jacking continued without abatement

                                                                                                  4

INTRODUCTION   RESEARCH CENTER         THREAT INSIGHTS    SECURITY WATCH             CONCLUSION

                                                                           2019 Ixia Security Report
SECURITY REPORT - About Keysight
Key Observations
                           In 2018, we observed many successful attacks based on historic

         A
                           vulnerabilities. Legacy attacks dating back to as far as 2009
                           remained effective. Hackers successfully compromised systems
                           when the systems were unpatched, or because no patch was
                           available for a legacy system. Widespread availability of
                           exploit software that targets well-known vulnerabilities also
                           contributed to the phenomenon. Bad security hygiene, in the
                           form of default login and password credentials, also contributed
                           to the problem.

                                                                          B
     Public cloud architectures created a second vector for new
     security attacks. Both home-grown and commercial software
     packages exhibited vulnerabilities. We categorize these into
     two basic groups: code vulnerabilities and configuration
     vulnerabilities. Misconfigured security and access policies
     were a major source of data breach in 2018.

                           Beneath the threats observed lies an unavoidable truth:

         C
                           Network and application complexity pose serious security
                           threats. Complexity continues to grow within enterprise and
                           service provider IT environments. This growing complexity
                           is creating new security vulnerabilities every day. Thwarting
                           security attacks starts with a continuous commitment to
                           security best practices. Tools augment your ability to mitigate
                           threats, but only security best practices can prevent them.

                                                                                                                        5

INTRODUCTION            RESEARCH CENTER              THREAT INSIGHTS            SECURITY WATCH             CONCLUSION

                                                                                                 2019 Ixia Security Report
SECURITY REPORT - About Keysight
SECTION

   02
    THE IXIA APPLICATION
    AND THREAT INTELLIGENCE
    RESEARCH CENTER
     Ixia’s strategy starts with an elite team of
     dedicated cybersecurity professionals that
     form the Ixia ATI Research Center. This
     globally distributed team works around
     the world and around the clock from
     locations like Singapore, California, Texas,
     Massachusetts, France, Romania, and India.
     They monitor and analyze the ever-evolving
     indicators that could threaten the security
     of IT networks. The team distills that
     knowledge into research and rule sets. We
     incorporate these insights into Ixia solutions
     to maximize your ability to detect and
     combat the latest threats.

                                                                                                       6

INTRODUCTION         RESEARCH CENTER         THREAT INSIGHTS   SECURITY WATCH             CONCLUSION

                                                                                2019 Ixia Security Report
SECURITY REPORT - About Keysight
The ATI team also contributes to the larger security     In many cases, the team can go from discovery
     community. The Ixia ATI team shares what it learns       to an Ixia product update within a 24-hour period.
     with vendors that have been hacked, private agencies
                                                              Input to the research process comes from
     (e.g., www.mitre.org), government agencies (e.g.,
                                                              many sources:
     NIST and DARPA), and at global security conferences
                                                               • International exploit databases
     such as Black Hat and RSA. Ixia also promotes a
     summer security school in Bucharest, Romania, to          • The Dark Web
     help train new security engineers.
                                                               • Scan of security news alerts and crowdsourcing
     The ATI team assesses and validates products that are
     meant to secure the enterprise. The team serves as a      • Twitter handles of other security researchers

     front line of defense, monitoring internet-connected      • Partner feeds
     products and analyzing observed behavior to discover
     exploitable weaknesses in any vendors’ product.           • Honeypots actively looking for attacks in the wild

     Security alerts and incidents happen all hours of the     • Independent research (testing and reverse
     day and night, so the team takes a follow-the-sun           engineering) by the ATI team
     approach. Dozens of engineers combine to form a
     single global team that can create and disseminate the
     latest security intelligence.

                                                                                                                           7

INTRODUCTION              RESEARCH CENTER             THREAT INSIGHTS            SECURITY WATCH               CONCLUSION

                                                                                                    2019 Ixia Security Report
SECURITY REPORT - About Keysight
Members of the team constantly poll multiple              Ixia’s ATI threat intelligence feed incorporates data
     sources to get insights into vulnerabilities. They        in a way no other provider offers. While others in the
     normalize, correlate, and organize the data to get a      industry create automated intelligence platforms
     clear direction on the threats and how to prioritize      or open source feeds, those solutions are generally
     them. Team members then investigate the threats           tailored to provide insights related to specific
     and either validate or dismiss them. They research        products in a vendor’s portfolio. For example, a feed
     everything to make sure that the threat detection and     from Microsoft may focus on vulnerabilities related
     prevention content deployed in our products is 100        to products and threats relative to the Microsoft
     percent correct. This deep research also gives them       portfolio. Ixia threat feeds look at the internet on
     the utmost confidence in our data and predictions.        a global scale, and provide actionable intelligence
                                                               based on internet-wide telemetry.
     The BreakingPoint company established the ATI team
     in 2005. Ixia acquired BreakingPoint in 2012. The         ATI intelligence takes the form of a “rap sheet.” A rap
     BreakingPoint solution is a security attack and traffic   sheet captures threat intelligence via a proprietary
     generator that network equipment manufacturers,           database of known bad actors or offenders. The
     service providers, governments, and enterprises           database is constantly updated, providing real-time
     use to validate network and security resiliency while     actionable threat intelligence. The team validates
     under load and attacks. Generating traffic using          blacklisted sites continuously, updating the database
     threats based on real-world research is just one          to ensure new threats are tracked and false positives
     way that Ixia and Keysight help harden solutions for      are removed. Automated rap sheets provide updates
     applications as diverse as automotive and Internet of     as often as every five minutes, delivering the data in
     Things (IoT) solutions.                                   real time to Ixia visibility solutions.

     The ATI team serves as the
     guard to security guardians -
     challenging others in the industry
     to improve their product security,
     and constantly monitoring to
     spot issues before they become
     epidemics. Ixia is committed to
     making it as hard as possible for
     hackers to succeed.

                                                                                                                                8

INTRODUCTION             RESEARCH CENTER              THREAT INSIGHTS             SECURITY WATCH                   CONCLUSION

                                                                                                         2019 Ixia Security Report
SECURITY REPORT - About Keysight
SECTION

   03
    TOP 5 SECURITY
    THREAT INSIGHTS
    FROM 2018
     2018 included a mixture of exploits, including

     some new, as well as many which we had seen

     before often modified to incorporate more

     known, unpatched vulnerabilities.

                                                                                                      9

INTRODUCTION         RESEARCH CENTER        THREAT INSIGHTS   SECURITY WATCH             CONCLUSION

                                                                               2019 Ixia Security Report
SECURITY REPORT - About Keysight
From the attacks observed, we can
     draw five major conclusions about
     the state of security threats in 2018:

                                            1. Software
                                        security cause the
                                        majority of product
                                          vulnerabilities

                                                                            2. Humans are the
         5. Crypto-jacking
                                                                             weakest link: We
       activity reached new
                                                                          click lots of avoidable
        peaks in 2018: This
                                                                          phishing and malware
        threat continues to
                                                                                    links
                grow

                 4. Security vulnerability                      3. Cyber hygiene
                     disclosures are a                           is at an all-time
                  double-edged sword:                          low: Vendors and
                    Both hackers and                            IT need to clean
                     vendors benefit                               up their act

                                                                                                           10

INTRODUCTION        RESEARCH CENTER          THREAT INSIGHTS       SECURITY WATCH              CONCLUSION

                                                                                     2019 Ixia Security Report
1. Software Security Flaws Cause the
     Majority of Product Vulnerabilities
     Software security flaws contributed to a record
     number of security incidents in 2018. We saw more
     new devices than ever before, but we also saw more
     devices designed and deployed without proper
     measures to stop, or even limit, threats.

     This was especially true for web applications, where
     bad actors succeeded by exploiting well-understood
     SQL injection and cross-site scripting vulnerabilities.
     The use of these two web attack vectors covers the full
     range of attack delivery, from common spam attacks
     to automated remote exploitation – the act of taking
     control of vulnerable servers on a global scale.

     Zero-day exploits gave hackers an advantage over
     IT security teams, who struggled to stay ahead of
     constant vulnerability disclosures. Some open source
     organizations attempted to proactively mitigate
     vulnerabilities by standardizing security controls and
     measures inside commonly used web development
     frameworks. However, code fragmentation makes it
     difficult for these central improvements to address the
     widespread problem.

                                                                                                                  11

INTRODUCTION             RESEARCH CENTER                THREAT INSIGHTS   SECURITY WATCH             CONCLUSION

                                                                                           2019 Ixia Security Report
Code sharing carries other risks, too. For example,
     a recent study 1 examined code fragments on the
     popular coding site Stack Overflow. The study found
     that many Stack Overflow answers contain security
     vulnerabilities. Developers need to ensure they
     validate all code for common security design flaws.

     To solve this problem, web developers and system
     architects must be educated on security best
     practices. Until developers embrace software design
     best practices, attackers will continue to exploit these
     vectors, sometimes at scale and with substantial
     consequences, as in the case of Equifax.

     Recent examples of exploits that resulted from poor
     software security practices included:
      • Android debugging

      • Apache Struts

      • Cisco Smart Install

     As Gabriel Cirlig explained in a 2018 blog post 2 ,
     numerous Android devices have debugging that is
     either turned on by default or enabled by unaware
     users. This leads to thousands of devices with their
     root access exposed on the internet. The Trinity
     malware took advantage of this product weakness and
     deployed crypto miners into many of these devices.

     1. https://laurent22.github.io/so-injections
     2. https://www.ixiacom.com/company/blog/trinity-p2p-
     malware-over-adb

                                                                                                                12

INTRODUCTION             RESEARCH CENTER               THREAT INSIGHTS   SECURITY WATCH             CONCLUSION

                                                                                          2019 Ixia Security Report
But how long can software vulnerabilities follow you?
     Figure 1 provides insight to this question. The Trinity
     malware exposed the Android root vulnerability in
     the summer of 2018, yet attacker interest continued
     months later, with Ixia honeypots seeing thousands of
     attempted attacks daily in December 2018.

     The Apache Struts product security weaknesses (CVE-
     2018-11776) also continued to plague the internet.
     The vulnerabilities are similar to those observed in
     2017, which resulted in the highly publicized Equifax
     hack that exposed sensitive data of 143 million
     people.1 These vulnerabilities put thousands of web
     applications at risk. Bad actors exploited these
     weaknesses, using Cryptojacking scripts to infect
     servers and compromise devices, infecting the devices
     with crypto mining malware.

     1. https://www.bugcrowd.com/threat-report-apache-struts-
     cve-2018-11776/

                                      But how long can software
                                      vulnerabilities follow you?

     14,000

     8,000

     2,000

                                                            DECEMBER 1-31, 2018

      Figure 1. Trinity malware uptick in December 2018

                                                                                                                         13

INTRODUCTION             RESEARCH CENTER                  THREAT INSIGHTS         SECURITY WATCH             CONCLUSION

                                                                                                   2019 Ixia Security Report
4,000

     3,000

     2,000

     1,000

         0
                                                 APRIL - DECEMBER, 2018

     Figure 2. Cisco Smart Install attack attempts in December 2018

     Cisco devices were also targets of this type of exploit
     in 2018. Cisco’s Smart Install feature, designed to
     provide simple configuration of new devices inside
     a network, provided the attack vector. Nearly two
     years earlier, researchers documented the security
     vulnerability and observed an exploit tool known
     as SIET1 in the wild. In 2018, new vulnerabilities in
     devices supporting the protocol revived interest in
     the exploit. Ixia honeypots started seeing thousands
     of daily exploit attempts after details of a new
     vulnerability came out, as shown in Figure 2.

     1. https://github.com/Sab0tag3d/SIET

                                                                          Recommendation 1:
                                                                          Buyers should research the common
                                                                          vulnerabilities database and confirm
                                                                          fixes with vendors before deploying
                                                                          new hardware or software upgrades.
                                                                          The CVE database can help customers
                                                                          gauge the security track record and
                                                                          response time of a vendor.

                                                                                                                              14

INTRODUCTION                   RESEARCH CENTER             THREAT INSIGHTS             SECURITY WATCH             CONCLUSION

                                                                                                        2019 Ixia Security Report
2. Humans are the Weakest Link
     Many recently documented compromises (such as the                    In 2018, Ixia systems detected 662,618 phishing
     John Podesta/U.S. Democratic National Committee                      pages in the wild, and 8,546,295 pages hosting or
           1
     hack ) started with a phishing attempt. As any                       infected by malware. Clearly, exposure reaches far
     security researcher can confirm, a well-crafted and                  beyond organizations with weak perimeter security.
     well-timed phishing attempt can confuse even the                     A successful attack on your infrastructure requires
     most tech-savvy expert into making a mistake that                    only a single errant click on an email or hypertext
     leads to a network compromise. An attacker can use                   call-to-action. While many infected pages that house
     the results of a successful phishing attack to execute               these attacks are taken down in hours or days, some
     an attack and drop malware on the target’s system.                   malware samples live online for years on abandoned
     Once deployed, the attacker can attempt to move                      websites. One good example is a web page that
     toward systems of higher value inside the network.                   serves an old version of the Cerber ransomware. Ixia
                                                                          first detected it on November 21, 2017, yet it is still
     Security against the human vector requires a
                                                                          online today. Even though this particular attacker is
     combination of the following:
                                                                          no longer active, the legacy of the malware lives on,
      • Educating users about the risks that exist in the wild
                                                                          infecting anyone that receives a recycled link.
      • Detecting and blocking phishing and malware that
        try to pass the network edge

      • Blocking endpoint infection attempts if a phishing
        attack succeeds

      • Detecting and blocking lateral movement when
        the previous techniques have failed

     1. https://www.apnews.com/dea73efc01594839957c3c9a6c962b8a

                                        Recommendation 2:
                                        Humans make mistakes. Even the most highly trained people
                                        can fall prey to phishing attacks. Technological aids or
                                        reminders can help reduce the probability of an attack. For
                                        example, an email program that highlights when an incoming
                                        email looks like potential spam or phishing, or when it is from
                                        an external entity, enables you to pay attention and carefully
                                        scrutinize the URLs contained in the email. Also, tools such as
                                        password managers enable computers to reinforce security
                                        and reduce incidents caused by human error.

                                                                                                                                          15

INTRODUCTION                 RESEARCH CENTER                      THREAT INSIGHTS            SECURITY WATCH                   CONCLUSION

                                                                                                                    2019 Ixia Security Report
3. Cyber Hygiene is at an
     All-time Low
     IT product vendors created code or configurations
     that caused many successful security breaches
     in 2018, but IT operations and security personnel
     also shared the blame. Well-known attacks
     and attack vectors remain successful because
     security personnel did not address architecture
     vulnerabilities and apply patches.

     This oversight is primarily due to two factors:
     ignorance of the latest patches, and challenges
     deploying frequent patches in a timely manner.
     Both factors leave businesses vulnerable. Many
     successful breaches in 2018 did not involve new
     versions of malware or attack methods – existing
     exploits targeting unpatched vulnerabilities proved
     to be very effective again in 2018.

     Here are some examples of this type of exploit:
      • Persistent brute forcing (public facing systems
        that can be brute forced)

      • EternalBlue (disclosed in 2017)

      • Dahua digital video recorders (a 5-year-old
        vulnerability)

      • CVE-2009-4140, a web application vulnerability
        from 2009

                                                                                                                16

INTRODUCTION             RESEARCH CENTER               THREAT INSIGHTS   SECURITY WATCH             CONCLUSION

                                                                                          2019 Ixia Security Report
Brute-force attacks have not let up in their 20th           There are multiple solutions to help prevent brute-
     year on the internet, and only continue to grow in          force attacks:
     popularity as devices proliferate. A remote brute-           • Utilizing public/private keys for remote
     force attack involves repeatedly guessing common               administration of servers
     usernames and passwords. This type of attack
                                                                  • Two-factor authentication for remote
     often targets an administrative console for a web
                                                                    administration
     application, a remote desktop session, or a listening
     service (like Secure Shell or Telnet). These services        • One-time-use factory-shipped passwords for
     exist on nearly every type of device, from the largest         embedded devices (IoT)
     assets in the world to millions of small embedded            • Disabling remote access until enabled by the
     devices found everywhere. IoT endpoints in particular          user with a custom password
     had many vulnerabilities in this category.

     Hackers most frequently attacked Telnet and SSH with
     brute-force attacks. IoT-targeting botnets (such as Mirai
     and its clones) prefer to target these two protocols.
     However, as the graph below shows, any service
     employing default or weak credentials is at risk.

                                                                                      Telnet-Brute-force

                                                                                      SSH-Brute-force

                                                                                      MySQL/MSSQL Brute-force

                                                                                      Generic PHP Application
                                                                                      Login Bruteforce

                                                                                      SMTP Authentication Bruteforce

                                                                                      VNC Bruteforce

                                                                                      Others

                                                                                   Figure 3. Top brute-force attacks in 2018

                                                                                                                               17

INTRODUCTION             RESEARCH CENTER                 THREAT INSIGHTS          SECURITY WATCH                   CONCLUSION

                                                                                                         2019 Ixia Security Report
Another well-known attack that continues to                     Mirai and other botnets continue to scan for
     proliferate is EternalBlue (CVE-2017-0144). The                 vulnerabilities that are more than 5 years old, such
     infamous WannaCry malware leveraged EternalBlue                 as Dahua DVRs and video cameras. Many victims
     in May 2017. Despite EternalBlue’s age, it continued            do not even realize they are affected. Ixia began
     to gain momentum in 2018. This vulnerability only               tracking Mirai-based bots soon after they started
     impacts hosts running Windows 7 or previous                     spreading. Ixia solutions identify the command and
     editions. Bad actors heavily scanned for vulnerable             control anomalies, as well as the bots themselves,
     systems throughout 2018; the number of scanning                 based on packet attributes.
     attempts for this vulnerability was three times greater
     in December 2018 than in January 2018. See the Ixia
     data in Figure 4.

        5M

        4M

        3M

        2M

         1M

          0
                                                        JANUARY - DECEMBER, 2018

              Figure 4. EternalBlue scanning attempts by bad actors in 2018

                                                                     One victim was a laundromat company.
                                                                     The botnet would compromise the company’s
                                                                     internet-connected security cameras, adding them to
                                                                     the botnet. The cameras would livestream footage of
                                                                     whatever they pointed at. As the exploit continued,
                                                                     the traffic would overload system resources. Once
                                                                     this happened, the cameras would stop working. The
                                                                     owner would reboot the cameras, and they would
                                                                     return to factory defaults. The cameras would behave
                                                                     normally for a few days, and then the cycle would
                                                                     repeat. The owners were unaware that the equipment
                                                                     kept failing because of product security design
                                                                     defects. Instead, they assumed they had purchased a
                                                                     cheap product with poor reliability.

                                                                                                                                  18

INTRODUCTION               RESEARCH CENTER                THREAT INSIGHTS              SECURITY WATCH                 CONCLUSION

                                                                                                            2019 Ixia Security Report
While a laundromat might seem innocuous, the                   Figure 5 shows one example of how hackers are still
         key point is that the IoT device threat is real.               trying to exploit older vulnerabilities in Dahua DVRs.
         These devices could be cameras, in-home routers,               Equipment that should have been patched or removed
         televisions, or millions of other things. Security             from the internet remains in place without remediation.
         patching requires ongoing investment from both
         the vendor and the device owner. If left unpatched,
         attackers will discover and exploit these design flaws.

  1600

  1400

  1200

  1000

   800

   600

   400

   200

    0

         August 2018            September 2018          October 2018               November 2018          December 2018

         Figure 5. Attackers still target Dahua DVR (CVE-2013-6117) exploit from 2013

                                                                                                                                       19

INTRODUCTION                  RESEARCH CENTER                 THREAT INSIGHTS                SECURITY WATCH                CONCLUSION

                                                                                                                 2019 Ixia Security Report
Additional research shows that many hackers                The CVE-2009-4140 vulnerability allows complete
     are simply opportunists. They try to find as               access to a system. Remote authenticated users
     many vulnerable older systems as they can. One             can execute arbitrary code by uploading a file to the
     example is CVE-2009-4140, which demonstrates               system. Activity targeting this old vulnerability for
     that opportunists will look through the archive of         web applications reappeared in Ixia honeypots in
     vulnerabilities to try to find exploitable systems         2018, as shown in Figure 6.
     running ancient software on the internet. Old
     equipment may still be in use or redeployed as a
     backup. Older software is less likely to receive patch
     updates or intrusion-detection and -prevention
     signatures for security threats, increasing risk for
     organizations that deploy it.

     500

     400

     300

     200

     100

       0
                                                JANUARY - DECEMBER, 2018

     Figure 6. CVE-2009-4140 exploitation continues

                                                                 Recommedation 3:
                                                                 Keep your business secure by
                                                                 reviewing public exploit websites
                                                                 (like www.mitre.org) to see a list of
                                                                 common vulnerabilities and apply
                                                                 the recommended patches and
                                                                 architectural fixes.

                                                                                                                             20

INTRODUCTION             RESEARCH CENTER               THREAT INSIGHTS            SECURITY WATCH                  CONCLUSION

                                                                                                        2019 Ixia Security Report
4. Security Vulnerability Disclosures
     are a Double-edged Sword
     Vulnerability reporting helps vendors and consumers
     identify security flaws. When security engineers
     find a zero-day vulnerability, security threat, or other
     exploit, sharing information quickly is a common
     practice, so that vendors can fix their code and IT
     teams can secure their networks. But vulnerability
     reporting also informs hackers, who often can
     move faster than vendors or enterprise IT. Ixia has
     observed more successful security attacks following
     the disclosure of new vulnerabilities.

     Here are examples of exploits where hackers were
     able to move faster than vendors and IT teams:
      • Mirai

      • Drupalgeddon

      • D-Link DSL-2750B remote code execution
        vulnerability

                                                                                                                 21

INTRODUCTION             RESEARCH CENTER                THREAT INSIGHTS   SECURITY WATCH             CONCLUSION

                                                                                           2019 Ixia Security Report
Mirai, the botnet that hit the internet in 2016, originally used brute force to target
     embedded devices listening on Telnet. Mirai source code was released to open
     source communities, spawning many copycat versions that use brute-force SSH
     attacks and incorporate multiple other embedded device vulnerabilities to increase
     the rate of compromise. Mirai derivatives remain high on the list of active botnets
     on the Internet and remain a persistent and evolving threat to embedded Linux
     systems. Figure 7 illustrates the ongoing risk from this attack.

     50M

     40M

     30M

     20M

      10M

       0
                                                         JANUARY - DECEMBER, 2018
            Figure 7. Mirai resurgence in late 2018

                                                                                                                             22

INTRODUCTION                 RESEARCH CENTER            THREAT INSIGHTS               SECURITY WATCH             CONCLUSION

                                                                                                       2019 Ixia Security Report
Drupalgeddon, originally referred to as CVE-2014-3704, is a SQL injection
     vulnerability that targets the Drupal web framework. Last year, researchers
     uncovered and responsibly disclosed similarly dangerous flaws that they dubbed
     Drupalgeddon 2 and 3. Drupalgeddon 2 (CVE-2018-7600) was responsibly
     disclosed. The researcher warned the development team, giving the team time to
     create and issue a patch before the exploit details became public. After private
     notification, the researcher released information necessary to exploit each
     vulnerability on April 12 and April 25, 2018, respectively. As shown in Figure 8,
     exploit attempts quickly followed.

     Interest in these two vulnerabilities then waned, mainly because the fast patching
     process quickly reduced the number of available targets.

     1600

     1400

     1200

     1000

     800

     600

     400

     200

       0
            April 1, 2018            April 15                     April 29               May 13                 May 27

     Figure 8. Drupalgeddon 2 and 3 attack waves start in April

     4500

     4000

     3500

     3000

     2500

     2000

     1500

     1000

      500

        0
             January 2018    March               May                         July    September       November

     Figure 9. Drupalgeddon 2 and 3 attacks wane after May 2018

                                                                                                                           23

INTRODUCTION                RESEARCH CENTER              THREAT INSIGHTS            SECURITY WATCH                CONCLUSION

                                                                                                     2019 Ixia Security Report
20,000

     18,000

     16,000

     14,000

     12,000

     10,000

      8,000

      6,000

      4,000

      2,000

         0
              January 2018     March            May             July          Septmber       Septmber

     Figure 10. D-Link DSL-2750B exploit

     On May 25, 2018, a new tool emerged that exploited a
     vulnerability in D-Link DSL-2750B routers. Attackers
     quickly seized the new tool and attempted to exploit
     the vulnerability. Interest peaked in August and
     September when newer versions of Mirai clones
     attempted to exploit this vulnerability.

                                                              Recommedation 4:
                                                              Disclosing vulnerability and exploit
                                                              information in closed communities
                                                              can reduce risk and slow hackers
                                                              down, giving application developers
                                                              and enterprises an opportunity to
                                                              patch defects before hackers create
                                                              tools to exploit the vulnerabilities in
                                                              the wild.

                                                                                                                  24

INTRODUCTION                 RESEARCH CENTER          THREAT INSIGHTS       SECURITY WATCH              CONCLUSION

                                                                                             2019 Ixia Security Report
5. Crypto-jacking Activity Reached
     New Peaks in 2018
     Ixia predicted the rise of crypto-miners in its 2017
     annual security report. Not only did this trend
     emerge, but hackers combined multiple classic
     attacks to deliver nearly autonomous malware,
     capable of spreading internally and building massive
     shadow networks dedicated to crypto mining. Ixia
     honeypots captured several new exploits that run
     an EternalBlue scan and, when successful, deposit a
     crypto miner onto the network.

     The meteoric rise of cryptocurrency value in 2018
     drove a new form of compute resource monetization.
     Classic malware tried to find something of value on
     a compromised system, often ransoming the data.
     With crypto-mining, the compromised system itself
     provides value through the mining of cryptocurrencies.
     It is easier for bad actors to mine for cryptocurrency
     than to ransom or steal something else of value.
     Detection poses little risk to the hacker using an
     anonymous cryptocurrency. This low-risk, high-reward
     environment means that ransomware is no longer the
     exploit of choice. Instead, many new exploits now
     focus on automating the installation and distribution of
     miner malware to as many hosts as possible.

                                                                                                                   25

INTRODUCTION             RESEARCH CENTER                  THREAT INSIGHTS   SECURITY WATCH             CONCLUSION

                                                                                             2019 Ixia Security Report
Cloud misconfigurations caused many data breaches
     in 2018. In many cases, organizations stored
     personally identifiable information (PII) in the clear in
     Amazon S3 databases. Plain-text storage, combined
     with human errors that exposed the database to
     hackers, caused many costly data breaches in 2018.
     While human error causes some of these incidents,
     others clearly stem from a lack of understanding of
     security best practices. Cloud security teams could
     benefit from working more closely with their on-
     premises IT security teams, leveraging best practices
     learned from years of on-premises IT application
     deployments. Cloud technology works differently,
     but that is no excuse for breach of PII. Your choice of
     technology platform will not reduce the fine levied for
     breach of personally identifiable data.

                                                                 Recommedation 5:
                                                                 Adding network visibility helps you
                                                                 see when someone or something is
                                                                 mining cryptocurrencies, so you can
                                                                 curb such activities.

                                                                                                                     26

INTRODUCTION             RESEARCH CENTER               THREAT INSIGHTS        SECURITY WATCH             CONCLUSION

                                                                                               2019 Ixia Security Report
SECTION

   04
    SECURITY WATCH
    LIST FOR 2019
    Based upon Ixia-collected data and
    historical activity, the Ixia ATI team predicts
    the following six trends for 2019:

     • Abuse of low-value endpoints will escalate

     • Brute-force attacks on public-facing
       systems and resources will increase

     • Cloud architectures create complexity that
       increases attack surfaces

     • Phishing will continue to evolve. As more
       companies begin using similar enterprise
       email systems (Office 365, G Suite), better
       phishes will help hackers get around
       defenses

     • Multiphase attacks that use lateral
       movement and internal traffic will increase

     • Crypto mining/cryptojacking attacks will
       increase

                                                                                                       27

INTRODUCTION         RESEARCH CENTER          THREAT INSIGHTS   SECURITY WATCH             CONCLUSION

                                                                                 2019 Ixia Security Report
Trend 1:                                                  Trend 2:
                Abuse of Low-value                                       Brute-force Attacks on
               Endpoints will Escalate                                  Public-facing Systems and
                                                                         Resources Will Increase

     Until basic security hygiene improves, hacks like Mirai   This attack vector has existed for close to 20 years.
     and cryptojacking will continue unabated. With more       While solutions exist to eliminate this attack vector, we
     devices connecting to the internet every day, the         continue to see the same mistakes made repeatedly
     number of targets continues to increase — and so will     by vendors and IT practitioners. It appears there
     the number of victims.                                    will always be a server out there with the username
                                                               “root” and the password “password” that a hacker
                                                               can exploit. Individuals can prevent attacks on
                                                               their systems by changing default credentials, but
                                                               only adoption of two-factor and public/private key
                                                               authentication will provide a permanent solution.

                                                               Brute-force exploits will also increase significantly
                                                               for enterprises and carriers with the proliferation of
                                                               IoT devices. Many forget, or do not understand, that
                                                               these devices ship with default credentials. In addition,
                                                               the devices are actively broadcasting — so they can
                                                               connect to an internet router and relay data. Attackers
                                                               can exploit this mechanism to connect to the IoT
                                                               device and take it over.

                                                                                                                              28

INTRODUCTION             RESEARCH CENTER              THREAT INSIGHTS             SECURITY WATCH                  CONCLUSION

                                                                                                        2019 Ixia Security Report
Trend 3:                                                 Trend 4:
           Cloud Architectures Create                             Phishing Attacks Will Become
           Complexity That Increases                              More Focused During the Next
                Attack Surfaces                                            Two Years

     On-premises architectures gave security personnel        Enterprises invest thousands to train employees to
     complete control of their equipment and architecture.    recognize phishing attacks. In response, hackers
     Public cloud-based solutions give no control over        create better phishes that are less obvious to
     server and network architecture. Attacks like            victims, and more targeted. Growing Office 365
     Spectre (CVE-2017-5753) and CVE-2019-6260                and Google G Suite adoption will help slow down
     are just the beginning of the new types of attacks       phishing momentum. Both tools provide some
     aimed at cloud users and their data. The speed           phishing indicators. However, well planned attempts
     and dynamic capabilities of public clouds have           will get past these newer defenses. Hackers will
     unfortunately exposed a new attack vector: service       relentlessly attack any system that provides a larger
     misconfiguration. Misconfigured services provide         potential payoff.
     an open gate that hackers and bad actors can walk
     through, often with disastrous results.

                                                                                                                          29

INTRODUCTION            RESEARCH CENTER               THREAT INSIGHTS             SECURITY WATCH              CONCLUSION

                                                                                                    2019 Ixia Security Report
Trend 5:                                                  Trend 6:
          Multiphase Attacks That Use                                      Crypto Mining and
         Lateral Movement and Internal                                   Cryptojacking Attacks
              Traffic Will Increase                                           will Increase

     Malware dwell times can exceed 100 days. Malware          For decades, hackers sought to compromise systems,
     often goes undetected because command and                 steal data, and more recently ransom computers. A
     control traffic is sporadic, hidden like a needle in a    shift has occurred, where new attacks target the
     haystack and disguised to look like normal HTTPS          systems themselves. Rather than stealing data at
     traffic. Many organizations only monitor at ingress       rest, attacker use compromised systems for crypto
     and egress points in their network. As attacks grow       mining. Old unpatched vulnerabilities previously
     more sophisticated, we expect detection times will        used for ransomware or DDoS networks are easily
     continue to grow longer. We also expect attackers         exploited to deliver crypto mining software.
     to utilize more LAN-to-LAN attacks, hoping to avoid       Advanced crypto miners do not depend on classic
     detection by abusing the trust of internal traffic.       command and control architectures, making
     Micro-segmentation can increase visibility, helping       them harder to detect and prevent fluctuating
     detect and catch lateral movements.                       cryptocurrency values may slow the growth of mining
                                                               networks, but mining will continue to offer financially
                                                               attractive incentives to hackers looking to make some
                                                               quick money.

                                                                                                                           30

INTRODUCTION             RESEARCH CENTER               THREAT INSIGHTS           SECURITY WATCH                 CONCLUSION

                                                                                                      2019 Ixia Security Report
SECTION

   05
    CONCLUSION
     In 2018, we observed important shifts in
     the threat landscape. We observed new
     malware variants, and new versions of well-
     known legacy exploits. We observed many
     security breaches due to misconfiguration
     errors, and we saw this trend extend further
     into cloud-hosted software and services.
     Cloud services offer nearly instant access
     to a wide variety of scalable platforms
     and services, but with that speed comes a
     rapidly expanding attack surface, and more
     opportunities for human error.

                                                                                                   31

INTRODUCTION        RESEARCH CENTER       THREAT INSIGHTS   SECURITY WATCH             CONCLUSION

                                                                             2019 Ixia Security Report
Network complexity continues to rise and attack            IT teams can make many improvements to enhance
     complexity mirrors the network landscape. Some             their security architecture. We recommend that you
     attacks die off, while others are reborn as new variants   implement these activities now:
     year to year. The ever-changing landscape requires          • Perform a security patch analysis versus your
     vigilance and quick responses from your security team.        security control protections

     Our research also uncovered data that indicates that        • Analyze your public cloud security architecture,
     the following six items will pose the most threat to          and audit application access policies
     enterprises over the coming one to two years. We
                                                                 • Review password security practices for your IT
     suggest that you review your security architecture for
                                                                   systems and equipment
     the following threats:
      1. Abuse of low value endpoints will increase             Our research shows that basic security hygiene
         this year                                              practices could prevent or minimize the impact of many
                                                                breaches. Security teams that ignore these practices
      2. Brute force attacks will increase on your public
                                                                are more likely to suffer a breach.
         facing assets
                                                                Patch analysis may sound boring, but too often, a
      3. Cloud networks are increasing complexity, which
                                                                single engineer is responsible for patch maintenance
         is increasing attack surfaces
                                                                of an application or piece of equipment. If that
      4. Phishing attacks will become more focused over         engineer leaves the company, responsibility for
         the next two years                                     patch maintenance may fall through the cracks. Our
      5. Multiphase attacks that use lateral movements          data shows that in many cases, year-old unpatched
         and internal traffic will increase                     vulnerabilities allowed exploits to happen.

      6. Crypto mining attacks will increase

                  If you have vulnerable systems that you cannot
                  immediately patch, do you know whether your
                         security controls will protect you?

                                                                                                                             32

INTRODUCTION             RESEARCH CENTER                THREAT INSIGHTS            SECURITY WATCH                  CONCLUSION

                                                                                                       2019 Ixia Security Report
Another basic hygiene practice is default password
     security. IT professionals should remove factory
     default or well-known passwords before devices are
     deployed. This mitigates nearly all brute-force attacks
     and exploits. Brute-force attacks continue to work,
     because IT continues to deploy equipment with default
     passwords. Eliminating these passwords would
     eliminate this attack vector.

     Cloud architectures continue to grow in popularity.
     However, security personnel are often not involved
     in all aspects of cloud implementations. Enterprises
     learned long ago that stateful inspection firewalls and
     logs were insufficient to protect against application
     level attacks, but many cloud providers offer these
     features as standard defenses.

       Additional lines of defense
         are crucial to protect
       applications in the cloud.

                                                                                                                 33

INTRODUCTION              RESEARCH CENTER               THREAT INSIGHTS   SECURITY WATCH             CONCLUSION

                                                                                           2019 Ixia Security Report
As noted earlier, the number of data breach incidents
     rose in 2018, with more incidents attributed to
     misconfigured cloud applications and resources.
     Some common cloud security mistakes include
     failure to encrypt personally identifiable data,
     incorrect data access permissions, and unpatched
     code creating vulnerabilities in the application stack.
     Cloud technology works differently, but data breach
     laws and fines don’t discriminate. We here at Ixia, and
     the ATI team, understand these complexities and are
     here to help you safely navigate the ever evolving
     cyber world.

                                                                                                                34

INTRODUCTION            RESEARCH CENTER                 THREAT INSIGHTS   SECURITY WATCH             CONCLUSION

                                                                                           2019 Ixia Security Report
Ixia can help you secure your network, data,
                                       and applications. To learn how network
                                       packet brokers and taps can augment
                                       your security infrastructure to give you the
                                       visibility you need to act fast — ask for a
                                       demo, and we would be happy to show you
                                       what is possible.
                                                        Contact us at ixiacom.com

Find us at www.ixiacom.com
915-9331-01-4091 Rev A   I   © Keysight Technologies, 2019
You can also read